How to determine if your PC has the infection

1. My Visual Studio .NET 2005 was crashing a lot, and I could not get any work done using it.
2. In Firefox 3, each search result would initially redirect to a bogus ad page (I always open search results in a new tab), but clicking the search result once more would open the genuine page.
3. I could not start cmd from the XP Start/Run menu item.

How I removed this malware from my PC

1. I installed Malwarebytes’ Anti-Malware and scanned my PC with it. It found the single file (in my case C:\WINDOWS\ukvvq.qnx) that was keeping the infection active. Deleting the file manually, or letting Anti-Malware delete it, worked, but the file reappeared almost immediately. Don’t worry if Anti-Malware is unable to update its definitions online (this is another symptom of Gumblar): it still detects the file, though under a different name.
2. I ran HijackThis (I didn’t need a scan), chose “misc tools”, and chose “delete file on reboot” for this file (following http://www.dynamicdrive.com/forums/showthread.php?p=194695).
3. I ran regedit and deleted the registry entry (according to http://www.dynamicdrive.com/forums/showthread.php?p=194695).

I modified it heavily to use PHP regular expressions that remove the Gumblar modifications from HTML, PHP and JS files (it scans files with every extension except .bak). Unlike rad-one’s detection script, this one yielded zero false positives for me and, as far as I can tell, eradicated the infection completely.

Here is what my script does:

1. Recurses through the whole website, excluding files and/or directories of your choosing.
2. Applies regular expressions to remove the infection from all the files (except those with the .bak extension) in each directory.
3. Backs up every modified file using the .bak extension.
4. Removes all files with paths ending in /images/image.php or /images/gifimg.php.
5. Runs in report mode by default, so you can see which files would be modified.
6. Has a “verbose” option, so you can see how each file will be modified.

It does not change directory permissions. I haven’t got around to investigating that area yet.
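The six points above describe a procedure, so here is an added example that implements the same behaviour in Python (it is not the author’s PHP script). The injected-code pattern is a constructed placeholder, since the page does not reproduce the actual Gumblar insertion; the sample site is built inline, and exclusions are given as paths relative to the site root. Report mode is the default, verbose mode records a unified diff per file, and the two dropper paths from point 4 are matched on the tail of each path.

```python
import difflib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Placeholder pattern assumed for this example: the real injected Gumblar
# snippet is not reproduced on the page, so a constructed marker stands in.
INJECTION_PATTERNS = [
    re.compile(r'<script[^>]*>\s*/\*demo-inject\*/.*?</script>\s*', re.S | re.I),
]
# Backdoor paths named on the page, matched against the end of the path.
DROPPER_SUFFIXES = ('/images/image.php', '/images/gifimg.php')


def clean_tree(root, excludes=(), apply=False, verbose=False):
    """Walk root and report (or, with apply=True, perform) the cleanup.

    Returns {'modified': [...], 'removed': [...], 'diffs': {rel: text}} with
    paths relative to root, using forward slashes.
    """
    root = Path(root)
    excludes = set(excludes)
    result = {'modified': [], 'removed': [], 'diffs': {}}

    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = sorted(
            d for d in dirnames
            if (here / d).relative_to(root).as_posix() not in excludes)
        for name in sorted(filenames):
            path = here / name
            rel = path.relative_to(root).as_posix()
            if rel in excludes or path.suffix == '.bak':
                continue  # user exclusion, or a backup left by an earlier run
            if ('/' + rel).endswith(DROPPER_SUFFIXES):
                result['removed'].append(rel)
                if apply:
                    path.unlink()
                continue
            original = path.read_text(encoding='utf-8', errors='surrogateescape')
            cleaned = original
            for pattern in INJECTION_PATTERNS:
                cleaned = pattern.sub('', cleaned)
            if cleaned == original:
                continue
            result['modified'].append(rel)
            if verbose:
                result['diffs'][rel] = ''.join(difflib.unified_diff(
                    original.splitlines(True), cleaned.splitlines(True),
                    fromfile=rel, tofile=rel + ' (cleaned)'))
            if apply:
                # index.html -> index.html.bak, keeping the original name visible
                shutil.copy2(path, path.with_name(name + '.bak'))
                path.write_text(cleaned, encoding='utf-8', errors='surrogateescape')
    return result


# Constructed injected snippet matching the placeholder pattern above.
INJECTED = '<script>/*demo-inject*/document.write("x");</script>\n'


def build_sample_site(base):
    """Constructed sample site: one infected page, one clean page, one dropper,
    one stale .bak that must be left alone, and one excluded directory."""
    base = Path(base)
    (base / 'images').mkdir()
    (base / 'private').mkdir()
    (base / 'index.html').write_text('<html><body>' + INJECTED + 'hello</body></html>\n')
    (base / 'clean.html').write_text('<html><body>hello</body></html>\n')
    (base / 'images' / 'image.php').write_text('<?php /* dropper */ ?>\n')
    (base / 'old.html.bak').write_text(INJECTED)
    (base / 'private' / 'page.html').write_text(INJECTED)


def demo():
    """Run report mode, then apply mode, then a re-run, on the sample site."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        report = clean_tree(tmp, excludes={'private'}, verbose=True)
        untouched = (Path(tmp) / 'index.html').read_text()
        applied = clean_tree(tmp, excludes={'private'}, apply=True)
        after = (Path(tmp) / 'index.html').read_text()
        backup = (Path(tmp) / 'index.html.bak').read_text()
        dropper_gone = not (Path(tmp) / 'images' / 'image.php').exists()
        rerun = clean_tree(tmp, excludes={'private'})
    return {'report': report, 'untouched': untouched, 'applied': applied,
            'after': after, 'backup': backup, 'dropper_gone': dropper_gone,
            'rerun': rerun}


if __name__ == '__main__':
    r = demo()
    print('would modify:', r['report']['modified'])
    print('would remove:', r['report']['removed'])
    print(r['report']['diffs']['index.html'])
```

Report mode leaves the tree untouched, which is the check to run first; only after the reported list looks right should you re-run with apply=True. The pattern list is the part you would replace with expressions matched against the injected code actually found on your own site.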